Department of Health and Human Services
OFFICE OF INSPECTOR GENERAL

HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS AT STATE MEDICAID AGENCIES

Inquiries about this report may be addressed to the Office of Public Affairs at Public.Affairs@oig.hhs.gov.

Daniel R. Levinson
Inspector General

March 2014
A-07-14-00433

Office of Inspector General
https://oig.hhs.gov/

The mission of the Office of Inspector General (OIG), as mandated by Public Law 95-452, as amended, is to protect the integrity of the Department of Health and Human Services (HHS) programs, as well as the health and welfare of beneficiaries served by those programs. This statutory mission is carried out through a nationwide network of audits, investigations, and inspections conducted by the following operating components:

Office of Audit Services

The Office of Audit Services (OAS) provides auditing services for HHS, either by conducting audits with its own audit resources or by overseeing audit work done by others. Audits examine the performance of HHS programs and/or its grantees and contractors in carrying out their respective responsibilities and are intended to provide independent assessments of HHS programs and operations. These assessments help reduce waste, abuse, and mismanagement and promote economy and efficiency throughout HHS.

Office of Evaluation and Inspections

The Office of Evaluation and Inspections (OEI) conducts national evaluations to provide HHS, Congress, and the public with timely, useful, and reliable information on significant issues. These evaluations focus on preventing fraud, waste, or abuse and promoting economy, efficiency, and effectiveness of departmental programs. To promote impact, OEI reports also present practical recommendations for improving program operations.

Office of Investigations

The Office of Investigations (OI) conducts criminal, civil, and administrative investigations of fraud and misconduct related to HHS programs, operations, and beneficiaries. With investigators working in all 50 States and the District of Columbia, OI utilizes its resources by actively coordinating with the Department of Justice and other Federal, State, and local law enforcement authorities. The investigative efforts of OI often lead to criminal convictions, administrative sanctions, and/or civil monetary penalties.

Office of Counsel to the Inspector General

The Office of Counsel to the Inspector General (OCIG) provides general legal services to OIG, rendering advice and opinions on HHS programs and operations and providing all legal support for OIG’s internal operations. OCIG represents OIG in all civil and administrative fraud and abuse cases involving HHS programs, including False Claims Act, program exclusion, and civil monetary penalty cases. In connection with these cases, OCIG also negotiates and monitors corporate integrity agreements. OCIG renders advisory opinions, issues compliance program guidance, publishes fraud alerts, and provides other guidance to the health care industry concerning the anti-kickback statute and other OIG enforcement authorities.

Notices

THIS REPORT IS AVAILABLE TO THE PUBLIC at https://oig.hhs.gov

Section 8L of the Inspector General Act, 5 U.S.C. App., requires that OIG post its publicly available reports on the OIG Web site.

OFFICE OF AUDIT SERVICES FINDINGS AND OPINIONS

The designation of financial or management practices as questionable, a recommendation for the disallowance of costs incurred or claimed, and any other conclusions and recommendations in this report represent the findings and opinions of OAS. Authorized officials of the HHS operating divisions will make final determination on these matters.

EXECUTIVE SUMMARY

High-risk security vulnerabilities we identified during reviews of information system general controls at 10 State Medicaid agencies raise concerns about the integrity of the systems used to process Medicaid claims.

WHY WE DID THIS REVIEW

High-risk security vulnerabilities we identified during previous, restricted reviews of information system general controls at 10 State Medicaid agencies (State agencies) raise concerns about the integrity of the systems used to process Medicaid claims. The integrity of the State agencies’ Medicaid systems depends on the effectiveness of the information system general controls, which are critical to the reliability, confidentiality, and availability of Medicaid data.
Without effective general controls, State agencies are not able to adequately safeguard sensitive Medicaid systems and data.

The Office of Inspector General’s (OIG) review of information system general controls at 10 State agencies conducted from 2010 through 2012 identified pervasive high-risk vulnerabilities. In responding to OIG’s work and in agreeing with the vast majority of OIG’s recommendations, the State agencies acknowledged the vulnerabilities and committed to addressing them. This report aggregates the data from our series of audits while omitting details that could compromise the security of any specific State agency system we audited. By doing so, the summary information presented in this report may increase public awareness of these pervasive vulnerabilities across State agencies and lead the Centers for Medicare & Medicaid Services (CMS) and all States to strengthen system security. OIG has identified the security of health information systems as a top challenge facing the Department and State agencies.

The objective of this review was to summarize the high-risk security vulnerabilities that we noted as audit findings in our previous, restricted reviews of information system general controls as those vulnerabilities related to the Medicaid Management Information Systems (MMIS) at 10 State agencies between calendar years 2010 and 2012.

BACKGROUND

We have been conducting reviews of the information system general controls at State agencies to assess the integrity of State Medicaid systems for the last 12 years. We conducted these reviews using selected procedures from the Government Accountability Office’s Federal Information Systems Controls Audit Manual, which provides guidance in evaluating general controls over computer-processed data from information systems. Our audit reports on these reviews made recommendations to the State agencies regarding the vulnerabilities that we had identified; in almost all cases, the State agencies agreed with our recommendations and described corrective actions that they had taken or planned to take. We restricted the distribution of these reports to the State agencies and the CMS action officials because of the sensitivity of the vulnerabilities in the audit findings—vulnerabilities that could have left State agencies’ automated data processing systems susceptible to exploitation or attack.

High-Risk Security Vulnerabilities in the Automated Systems Used To Process Medicaid Claims (A-07-14-00433) i

Information system general controls are the structure, policies, and procedures that apply to an entity’s overall computer operations, ensure proper operations of information systems, and create a secure environment for application systems. Some primary objectives of general controls are to safeguard data, protect computer applications, prevent unauthorized access to system software, and ensure continued computer operations after unexpected interruptions. General controls are applied at the entitywide level, the system level, and the business process application level.

WHAT WE FOUND

We identified a total of 79 findings in the 10 State Medicaid agencies whose information system general controls we audited between calendar years 2010 and 2012. We grouped these 79 individual findings into 15 security control areas within 3 information system general control categories: entitywide controls, access controls, and network operations controls. In the area of entitywide controls, we identified significant and pervasive findings involving the need to develop or strengthen formal, comprehensive plans for system security, contingency planning, and configuration management, among other findings. Findings in the area of access controls included frequently noted vulnerabilities related to logical access and user account management, login identification and authentication, and remote access. In the area of network operations controls, we identified significant and pervasive findings regarding the need for formalized policies and procedures for network device management and patch management, among other findings.

In some of the general control areas, we noted findings with similar vulnerabilities in different State agencies, which indicated that the vulnerabilities identified in these findings were systemic and pervasive. However, because we did not test all of the same information system general controls at each State agency and because we did not use a methodology that would permit us to extrapolate our findings to all State agencies, we cannot conclude that all Medicaid information system security environments have similar vulnerabilities.

Officials from several State agencies described some common causes when we discussed these findings with them. They pointed most frequently to resource constraints that made information system security a lower priority. Officials also described a lack of formal policies and procedures when explaining the causes of the vulnerabilities. The effectiveness of these information system general controls directly affects the State agencies’ ability to sustain secure Medicaid systems.

WHAT WE CONCLUDE

This review aggregates findings from the individual reports that show serious vulnerabilities in the 10 States’ MMIS. The State agencies advised us, in their comments on the individual restricted reports on information system general controls, that they were addressing the vulnerabilities that we had identified. The fact that some of the vulnerabilities were shared among the 10 State agencies suggests that other State Medicaid information systems may be similarly vulnerable.
Medicaid agencies’ management should make information system security a higher priority. We are continuing to conduct work in this area. This report is intended to provide information to assist those State agencies and CMS in strengthening system security.

TABLE OF CONTENTS

INTRODUCTION ........ 1
    Why We Did This Review ........ 1
    Objective ........ 1
    Background ........ 1
        Medicaid Program ........ 1
        Information System General Controls ........ 2
    How We Conducted This Review ........ 2

FINDINGS ........ 2
    Entitywide Controls ........ 5
        System Security Plan—Eight Findings Identified ........ 5
        Encryption—Eight Findings Identified ........ 5
        Contingency Planning—Five Findings Identified ........ 5
        Configuration Management—Five Findings Identified ........ 6
        Inventory Tracking—Three Findings Identified ........ 6
        Risk Assessments—Three Findings Identified ........ 6
        Security Configuration Baselines—Two Findings Identified ........ 7
    Access Controls ........ 7
        Logical Access Rights—Eight Findings Identified ........ 7
        Identification and Authentication—Six Findings Identified ........ 8
        Remote Access—Six Findings Identified ........ 8
        Physical Security—Five Findings Identified ........ 8
    Network Operations Controls ........ 9
        Network Device Management—Nine Findings Identified ........ 9
        Patch Management—Six Findings Identified ........ 9
        Antivirus Deployment—Three Findings Identified ........ 10
        Logging and Monitoring—Two Findings Identified ........ 10

CONCLUSION ........ 10

APPENDIXES
    A: Audit Scope and Methodology ........ 12
    B: Federal Requirements for Information System Security ........ 13

INTRODUCTION

WHY WE DID THIS REVIEW

High-risk security vulnerabilities we identified during previous, restricted reviews of information system general controls at 10 State Medicaid agencies (State agencies) raise concerns about the integrity of the systems used to process Medicaid claims. The integrity of the State agencies’ Medicaid systems depends on the effectiveness of the information system general controls, which are critical to the reliability, confidentiality, and availability of Medicaid data. Without effective general controls, State agencies are not able to adequately safeguard sensitive Medicaid systems and data.

The Office of Inspector General’s (OIG) review of information system general controls at 10 State agencies conducted from 2010 through 2012 identified pervasive high-risk vulnerabilities. In responding to OIG’s work and in agreeing with the vast majority of OIG’s recommendations, the State agencies acknowledged the vulnerabilities and committed to addressing them. This report aggregates the data from our series of audits while omitting details that could compromise the security of any specific State agency system we audited.
By doing so, the summary information presented in this report may increase public awareness of these pervasive vulnerabilities across State agencies and lead the Centers for Medicare & Medicaid Services (CMS) and all States to strengthen system security. OIG has identified the security of health information systems as a top challenge facing the Department and State agencies.

OBJECTIVE

Our objective was to summarize the high-risk security vulnerabilities that we noted as audit findings in our previous, restricted reviews of information system general controls as those vulnerabilities related to the Medicaid Management Information Systems (MMIS) at 10 State agencies between calendar years (CYs) 2010 and 2012.

BACKGROUND

Medicaid Program

The U.S. Department of Health and Human Services (HHS) oversees States’ use of Federal entitlement benefits for the Medicaid program. Federal regulations require State agencies to establish the appropriate automated data processing (ADP) security requirements on the basis of recognized industry standards and standards governing security of Federal ADP systems and information processing (45 CFR § 95).

We have been conducting reviews of the information system general controls at State agencies to assess the integrity of State Medicaid systems for the last 12 years. We conducted these reviews using selected procedures from the Government Accountability Office’s Federal Information Systems Controls Audit Manual, which provides guidance in evaluating general controls over computer-processed data from information systems. Our audit reports on these reviews made recommendations to the State agencies regarding the vulnerabilities that we had identified; in almost all cases, the State agencies agreed with our recommendations and described corrective actions that they had taken or planned to take. We restricted the distribution of these reports to the State agencies and the CMS action officials because of the sensitivity of the vulnerabilities in the audit findings—vulnerabilities that could have left State agencies’ ADP systems susceptible to exploitation or attack.

Information System General Controls

Information system general controls are the structure, policies, and procedures that apply to an entity’s overall computer operations, ensure proper operations of information systems, and create a secure environment for application systems. Some primary objectives of general controls are to safeguard data, protect computer applications, prevent unauthorized access to system software, and ensure continued computer operations after unexpected interruptions. General controls are applied at the entitywide level, system level, and business process application level.

The effectiveness of general controls is a significant factor in determining the effectiveness of business process application level controls. Without effective general controls at the entitywide and system levels, business process application level controls generally can be rendered ineffective by circumvention or modification. General controls affect the integrity of the program and are critical to ensuring the confidentiality, integrity, and availability of data.

HOW WE CONDUCTED THIS REVIEW

We grouped the high- and moderate-impact audit findings from our previous, restricted reviews of information system general controls at 10 State agencies into 3 core categories of general controls: entitywide controls, access controls, and network operations security controls. Taken together, these groups of high- and moderate-impact audit findings identify high-risk vulnerabilities in the State agencies’ MMIS. All of the vulnerabilities presented in this report were noted in the previous reviews that we performed in CYs 2010, 2011, and 2012.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Appendix A contains details of our audit scope and methodology, and Appendix B contains a detailed listing of the criteria used in the audits presented in this report.

FINDINGS

We identified a total of 79 findings in the 10 State Medicaid agencies whose information system general controls we audited between CYs 2010 and 2012. We grouped these 79 individual findings into 15 security control areas within 3 information system general control categories: entitywide controls, access controls, and network operations controls. In the area of entitywide controls, we identified significant and pervasive findings involving the need to develop or strengthen formal, comprehensive plans for system security, contingency planning, and configuration management, among other findings. Findings in the area of access controls included frequently noted vulnerabilities related to logical access and user account management, login identification and authentication, and remote access. In the area of network operations controls, we identified significant and pervasive findings regarding the need for formalized policies and procedures for network device management and patch management, among other findings.

In some of the general control areas, we noted findings with similar vulnerabilities in different State agencies, which indicated that the vulnerabilities identified in these findings were systemic and pervasive. However, because we did not test all of the same information system general controls at each State agency and because we did not use a methodology that would permit us to extrapolate our findings to all State agencies, we cannot conclude that all Medicaid information system security environments have similar vulnerabilities.

Officials from several State agencies described some common causes when we discussed these findings with them. They pointed most frequently to resource constraints that made information system security a lower priority. Officials also described a lack of formal policies and procedures when explaining the causes of the vulnerabilities.
The effectiveness of these information system general controls directly affects the State agencies’ ability to sustain secure Medicaid systems.

The table below summarizes our findings and totals them by general control area and State agency.

Table: High- and Moderate-Impact Findings Totaled by General Control Area and State Medicaid Agency

Columns A through J are State Medicaid Agencies A through J; the last column is the total number of findings for the control area. A dash marks a control area with no finding at that State agency.

General Control Areas                   A   B   C   D   E   F   G   H   I   J   Total
Entitywide Controls
  System security plan                  -   1   1   -   -   1   3   -   1   1     8
  Encryption                            1   1   1   -   1   1   -   1   1   1     8
  Contingency planning                  -   -   1   1   2   -   -   -   1   -     5
  Configuration management              -   1   -   1   2   -   -   -   1   -     5
  Inventory tracking                    1   -   -   -   1   1   -   -   -   -     3
  Risk assessments                      -   -   1   -   -   -   1   -   1   -     3
  Security configuration baselines      -   -   -   1   1   -   -   -   -   -     2
Access Controls
  Logical access rights                 -   1   -   1   1   -   2   -   2   1     8
  Identification and authentication     -   1   -   -   2   1   1   -   1   -     6
  Remote access                         1   -   1   1   1   1   -   1   -   -     6
  Physical security                     1   1   1   -   1   -   1   -   -   -     5
Network Operations Controls
  Network device management             -   1   -   2   2   1   -   1   1   1     9
  Patch management                      1   1   -   1   1   1   -   -   1   -     6
  Antivirus deployment                  -   1   -   1   1   -   -   -   -   -     3
  Logging and monitoring                -   -   -   1   1   -   -   -   -   -     2
Total Findings                          5   9   6  10  17   7   8   3  10   4    79

ENTITYWIDE CONTROLS

An entitywide information security management program is the foundation of a security control structure and a reflection of senior management’s commitment to addressing security risks. The entitywide information security management program should establish a framework and continuous cycle of assessing risk, developing and implementing effective security procedures, and monitoring the effectiveness of these procedures. Without effective entitywide general controls, business process application level controls may be rendered ineffective by circumvention or modification. We identified 34 entitywide control findings at the 10 State agencies and grouped these findings into 7 security control areas.

System Security Plan—Eight Findings Identified

System security plans should be formalized at the system and application levels for networks, facilities, and systems or groups of systems, as appropriate.
These plans and related policies\nshould cover all major systems and facilities and should outline the duties of those who are\nresponsible for overseeing security and those who own, use, or rely on the State agency\xe2\x80\x99s ADP\nresources.\n\nWe identified eight findings in six States related to system security plans. For example, one\nState agency had not developed a formal, comprehensive system security plan that addressed the\ngeneral support system and major application elements of the MMIS. Without a formal,\ncomprehensive system security plan, State agencies could experience long-term consequences,\nincluding risks to data security, fraud, and monetary loss.\n\nEncryption\xe2\x80\x94Eight Findings Identified\n\nEncryption is used to protect the confidentiality of stored data and data that are being transmitted\nto and from the secured network via the Internet. Additionally, encryption is extremely\nimportant in protecting wireless access to the secured network and on portable storage devices.\nEstablishing encryption where necessary is a basic step for protecting sensitive data.\n\nWe identified eight findings in as many States related to encryption vulnerabilities. For example,\n1 State agency had not encrypted the hard drives of 14 portable laptop computers, leaving them\nsusceptible to unauthorized access.\n\nContingency Planning\xe2\x80\x94Five Findings Identified\n\nContingency plans should be formalized to ensure the availability of critical information systems\nand the continuity of operations in emergencies. These plans should contain detailed roles,\nresponsibilities, recovery team designations, and procedures associated with the restoration of an\ninformation system following a disruption.\n\nWe identified five findings in four States related to contingency planning vulnerabilities. 
For\nexample, in one State agency, management had not established policies and procedures requiring\n\n\n\n\nHigh-Risk Security Vulnerabilities in the Automated Systems Used To Process Medicaid Claims (A-07-14-00433) 5\n\x0cdisaster recovery testing and had not tested its disaster recovery plan to recover and reestablish\nbusiness functions related to its claims processing.\n\nConfiguration Management\xe2\x80\x94Five Findings Identified\n\nConfiguration management policies, plans, and procedures should be developed, documented,\nand implemented at the entitywide, system, and application levels to ensure an effective\nconfiguration management process. The procedures should cover employee roles and\nresponsibilities, change control and system documentation requirements, establishment of a\ndecisionmaking structure, and configuration management training. Configuration management\nshould be a key part of an entity\xe2\x80\x99s Systems Development Life Cycle methodology. 1\n\nWe identified five findings in four States regarding configuration management vulnerabilities.\nFor example, one State agency\xe2\x80\x99s network administrator was able to implement system changes as\nneeded without formal management approval or documented procedures for implementation and\ntesting, a practice that could have resulted in a compromise to data confidentiality, integrity, or\navailability of the system.\n\nInventory Tracking\xe2\x80\x94Three Findings Identified\n\nState agencies must maintain complete, accurate, and up-to-date inventories of their ADP\nsystems to implement effective security programs and minimize vulnerabilities in those systems.\nWithout an inventory process, an agency cannot effectively manage information security controls\nacross the agency. 
The inventory is necessary for effective monitoring, testing, and evaluation of information technology controls and for supporting information technology planning, budgeting, acquisition, and management.

We identified three findings in as many States related to inventory tracking vulnerabilities. For example, one State agency had not established any type of formal agencywide inventory mechanism to account for all information system components and devices and was unable to identify all workstations and servers that were authorized to access the secure network and so needed to be properly secured.

Risk Assessments—Three Findings Identified

Risk assessments should consider threats and vulnerabilities at the entitywide, system, and application levels. When State agencies perform risk assessments, they should consider (1) risks to data confidentiality, integrity, and availability and (2) the range of risks to their systems and data, including those posed by authorized users and unauthorized outsiders who may try to break into the systems.

We identified three findings in as many States related to risk assessment vulnerabilities. For example, one State agency had not, since implementing its MMIS, performed a risk assessment of the MMIS to identify potential threats and vulnerabilities.
By not performing a risk assessment, the State agency created the possibility that it would not have identified sensitive information or implemented required actions to reduce risks.

¹ A Systems Development Life Cycle refers to the policies and procedures that govern software development and modification as a software product goes through each phase of its life cycle.

Security Configuration Baselines—Two Findings Identified

Each State agency should maintain current configuration information for all systems in a formal configuration baseline that contains the configuration information formally designated at a specific time during a system’s life. Past configuration baselines with approved changes from those baselines constitute the current configuration information. There should be a current and comprehensive baseline inventory of hardware, software, and firmware, and it should be routinely validated for accuracy.

We identified two findings in as many States related to security configuration baseline vulnerabilities. For example, one State agency had not established any documented baseline security configurations to dictate the minimum security configuration settings for all deployed workstations, servers, and network devices. That practice allowed system support staff to build and implement new servers and workstations without any oversight or review.

ACCESS CONTROLS

Access controls include physical controls, such as keeping computers in locked rooms to limit physical access, and logical controls, such as security software programs designed to prevent or detect unauthorized access to sensitive files.
Access controls should be formally developed, documented, disseminated, and periodically updated to provide reasonable assurance that information security resources are protected against unauthorized modification, disclosure, loss, or impairment. Inadequate access controls diminish the reliability of computerized data and increase the risk of destruction or inappropriate disclosure of data. It is fundamental that control techniques for both physical and logical access controls be risk based. We identified 25 access control findings at the 10 State agencies that we audited and grouped these findings into 4 security control areas.

Logical Access Rights—Eight Findings Identified

Each State agency’s process for managing user accounts should include the identification of the various account types (i.e., individual, group, system), the establishment of conditions for group membership, and the assignment of associated authorizations. Additionally, resource owners should periodically identify authorized users and specify access rights that are granted on the basis of a valid need to know as determined by appropriate officials and should consider the proper segregation of duties. Furthermore, State agencies should notify account managers when users have their employment terminated or are transferred and ensure that associated accounts are removed, disabled, or otherwise secured.

We identified eight findings in six States related to logical access rights. For example, one State agency had not established any formal policies regarding user account management and had not performed periodic reviews of network accounts to ensure that access was appropriately authorized and that accounts were properly configured.
Without periodically reviewing user accounts and user access, State agencies run the risk of allowing personnel to gain inappropriate access to sensitive Medicaid data and systems, access that could lead to improper activities.

Identification and Authentication—Six Findings Identified

State agencies should require that users and devices be appropriately identified and authenticated. User authentication establishes the validity of a user’s claimed identity, typically at the login to a system or application. Users can be authenticated by using mechanisms such as smart cards; by providing a piece of information that users alone know (e.g., a password or personal identification number); or through a unique means of physical identification such as a biometric fingerprint or retina scan. User identifications and authentications should be designed to restrict access of legitimate users to the specific systems, programs, and files that they need and to prevent others, such as hackers, from entering the system.

We identified six findings in five States related to identification and authentication vulnerabilities. For example, one State agency had not enabled the network user account lockout function after unsuccessful login attempts, an error that could have allowed intruders to successfully run automated login attack tools without detection.

Remote Access—Six Findings Identified

The use of remote access to connect users with the State agencies’ secure networks via the Internet places Medicaid systems at a higher risk of compromise than those systems that are restricted to the use of internal network users only.
As a result of this increased risk, accepted standards require State agencies to allow remote access only when two-factor authentication (in which one of the factors is provided by a device separate from the computer gaining access) is used and only when the remote access technology conforms to approved encryption standards.

We identified six findings in as many States related to remote access vulnerabilities. For example, one State agency was using an insecure remote access method, which sent unencrypted data (including passwords) across the Internet, to perform system administration functions within its MMIS.

Physical Security—Five Findings Identified

The effectiveness of physical security controls depends on the State agencies’ ability to implement effective practices for reviewing access authorizations, controlling entry devices, restricting entry during and after normal business hours, and controlling the entry and removal of resources from the facility. Access to facilities should be limited to those having a legitimate need for access. Inadequate physical access controls diminish the availability of computerized data and increase the risk of destruction or inappropriate disclosure of data.

We identified five findings in as many States related to physical security vulnerabilities. For example, one State agency’s physical access control policies and procedures did not address the review of electronic badge access rights; consequently, some terminated employees still had access to the datacenter housing the State agency’s MMIS.

NETWORK OPERATIONS CONTROLS

Once a network has been established, anyone with access to any computer on the network could attempt to attack resources on that network.
Network administrators configure and monitor network operating systems to ensure that the network is secure against such attacks.

Network operations controls thus consist of the policies and procedures used to maintain, manage, and secure the devices that connect to networks. Policies and procedures that keep devices up to date and configured properly and the monitoring of the network activity and its devices for security and maintenance issues are critical to the overall security and reliability of the network. We identified 20 network operations control findings at 8 of the 10 State agencies that we audited and grouped these findings into 4 security control areas.

Network Device Management—Nine Findings Identified

Network device management consists of the policies and procedures for effectively managing the security configurations on the entities’ network firewalls, routers, and switches. Additionally, network device management includes the operation of network management systems, which provide administrators with the ability to control and monitor the network device configurations from a central location. Network management systems obtain status data from network devices, enable network managers to make configuration changes, and alert them of problems.

We identified nine findings in seven States related to network device management. For example, one State agency had not implemented any formal policies and procedures for managing network devices. In the absence of formal network device management policies and procedures, administrators were using shared user accounts to administer the devices and there was no formal process for implementing and tracking configuration changes to network devices.

Patch Management—Six Findings Identified

Patch management is the process of identifying, reporting, and effectively remediating information system flaws in an operating system or program.
Timely patching helps organizations maintain operational efficiency and effectiveness, overcome security vulnerabilities, and maintain stability in the production environment. State agencies should establish a documented, systematic, and accountable process for managing exposure to vulnerabilities through the timely deployment of patches.

We identified six findings in as many States related to patch management vulnerabilities. For example, 1 State agency had not established an automated process for patching its network devices and was attempting to manually patch and monitor more than 500 devices. Additionally, approximately 30 percent of that same State agency’s Microsoft servers and workstations did not have the latest patches. Without adequate patch management, out-of-date systems remain vulnerable to exploitation, which can lead to unauthorized disclosure, modification, or nonavailability of Medicaid data.

Antivirus Deployment—Three Findings Identified

Antivirus management is the automated process used to effectively identify, isolate, and eliminate malicious software. Antivirus software should be implemented and maintained on computers and critical information system entry points to detect and eradicate malicious software transported by email, removable media, or other methods. Antivirus controls are important for detection and removal of malicious computer viruses, which can infect computers or computer systems.

We identified three findings in as many States related to antivirus deployment vulnerabilities. For example, one State agency had not established formal policies and procedures to address the antivirus software deployment and update requirements.
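The inventory tracking, patch management, and antivirus deployment findings above share one root cause: nobody reconciled the agency's list of workstations and servers against what the patch server and the antivirus control console were actually reporting. The Python example below is added here and is not taken from the OIG report or from any State agency's tooling; it shows that reconciliation on constructed data. The inventory records, the set of hosts checking in to the antivirus console, the patch-status map, and the hosts observed joining the network are all made-up sample inputs, and a real run would export them from the agency's inventory system, patch server, antivirus console, and DHCP or NAC logs.

```python
"""Reconcile the ADP inventory against patch and antivirus reporting.

Added example, not from the OIG report. All host names and status data
below are constructed; a real run would export them from the agency's
inventory system, patch server, antivirus console, and network logs.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Host:
    name: str
    role: str        # "workstation" or "server"
    platform: str    # operating system family
    owner: str       # business unit responsible for the host


# Constructed authoritative inventory: one record per managed host.
INVENTORY = [
    Host("ws-0001", "workstation", "windows", "eligibility"),
    Host("ws-0002", "workstation", "windows", "eligibility"),
    Host("ws-0003", "workstation", "windows", "claims"),
    Host("srv-db01", "server", "windows", "mmis"),
    Host("srv-app01", "server", "linux", "mmis"),
    Host("srv-web01", "server", "linux", "mmis"),
    Host("srv-web02", "server", "linux", "mmis"),
]

# Constructed export of hosts that checked in to the antivirus control console.
AV_CONSOLE_REPORTING = {"ws-0001", "ws-0003", "srv-db01", "srv-web02"}

# Constructed patch-server status: host -> True when current with approved patches.
PATCH_STATUS = {
    "ws-0001": True, "ws-0002": False, "ws-0003": True,
    "srv-db01": False, "srv-app01": True, "srv-web02": True,
    # srv-web01 has never reported to the patch server at all
}

# Constructed set of hosts seen joining the network (e.g. from DHCP or NAC logs).
OBSERVED_ON_NETWORK = {"ws-0001", "ws-0002", "ws-0003", "srv-db01",
                       "srv-app01", "srv-web01", "srv-web02", "lab-pc-77"}


@dataclass
class Reconciliation:
    not_reporting_av: list = field(default_factory=list)  # in inventory, silent in AV console
    unpatched: list = field(default_factory=list)         # not current, or unknown to patch server
    unknown_hosts: list = field(default_factory=list)     # on the network, not in inventory
    unpatched_pct_by_platform: dict = field(default_factory=dict)


def reconcile(inventory, av_reporting, patch_status, observed):
    """Cross-check the four sources and return every discrepancy."""
    names = {h.name for h in inventory}
    result = Reconciliation()
    result.not_reporting_av = sorted(names - av_reporting)
    # A host the patch server has no record of is treated as unpatched
    # (fail closed) rather than silently improving the coverage figure.
    result.unpatched = sorted(n for n in names if not patch_status.get(n, False))
    result.unknown_hosts = sorted(observed - names)
    totals = {}
    for h in inventory:
        total, bad = totals.get(h.platform, (0, 0))
        bad += 0 if patch_status.get(h.name, False) else 1
        totals[h.platform] = (total + 1, bad)
    result.unpatched_pct_by_platform = {
        p: round(100.0 * bad / total, 1) for p, (total, bad) in totals.items()
    }
    return result


if __name__ == "__main__":
    r = reconcile(INVENTORY, AV_CONSOLE_REPORTING, PATCH_STATUS, OBSERVED_ON_NETWORK)
    print("Not reporting to AV console:", r.not_reporting_av)
    print("Unpatched or unknown to patch server:", r.unpatched)
    print("On network but not in inventory:", r.unknown_hosts)
    print("Unpatched percent by platform:", r.unpatched_pct_by_platform)
```

A host that the patch server has no record of is counted as unpatched rather than ignored, so a reporting gap shows up as a finding instead of quietly improving the coverage percentage. The unknown_hosts list is the inventory tracking finding in miniature: a host on the network that no inventory record accounts for cannot be shown to be patched or protected at all.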
In the absence of formal antivirus deployment policies and procedures, more than 1,000 workstations and 200 servers from the State agency’s network were not reporting to the antivirus software control console, which was used to track the antivirus deployment and update status. Without updated antivirus deployment, State agencies expose their networks to known vulnerabilities, which could leave sensitive systems and data susceptible to unauthorized access and exploitation.

Logging and Monitoring—Two Findings Identified

Computer security log management is the process of generating, transmitting, analyzing, storing, and disposing of computer security log data. Computer security logs are generated by many sources, including security software, such as antivirus software, firewalls, and intrusion detection and prevention systems; operating systems on servers, workstations, and networking equipment; and applications. Given the number of sources and the volume of log data, an automated log management system is essential for identifying security incidents, policy violations, fraudulent activity, and operational problems.

We identified two findings in as many States related to logging and monitoring vulnerabilities. For example, one State agency had not established network logging and monitoring policies and procedures to address the types of information to be logged, the way in which those logs are to be monitored, and the types of events that should be reported to management.
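The account lockout finding under Identification and Authentication and the log management discussion above meet in one control: a centralized review of authentication logs would have shown the same bursts of failed logins that an enabled lockout policy would have stopped. The Python example below is added here and is not from the OIG report or any State agency's tooling. The syslog-style authentication records, hostnames, usernames, and addresses are constructed, and the line format is an assumption, so the regular expression would need adjusting for a real system's audit log. It emulates a lockout policy of five failures within fifteen minutes (assumed values), reports each account and source that reached the threshold, and notes whether a successful login followed, which is the case a reviewer would escalate first.

```python
"""Review authentication logs for automated login attempts.

Added example, not part of the OIG report. The log lines, hostnames,
usernames, and addresses are constructed; the line format is assumed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed syslog-style authentication records (assumed format).
SAMPLE_LOG = """\
2014-03-03T08:00:01 mmis-app01 auth: FAILED user=jsmith src=10.20.30.40
2014-03-03T08:00:03 mmis-app01 auth: FAILED user=jsmith src=10.20.30.40
2014-03-03T08:00:04 mmis-app01 auth: FAILED user=jsmith src=10.20.30.40
2014-03-03T08:00:06 mmis-app01 auth: FAILED user=jsmith src=10.20.30.40
2014-03-03T08:00:07 mmis-app01 auth: FAILED user=jsmith src=10.20.30.40
2014-03-03T08:00:09 mmis-app01 auth: SUCCESS user=jsmith src=10.20.30.40
2014-03-03T08:15:00 mmis-app01 auth: FAILED user=kdoe src=10.20.30.41
2014-03-03T09:30:00 mmis-app01 auth: FAILED user=kdoe src=10.20.30.41
2014-03-03T09:30:05 mmis-app01 auth: SUCCESS user=kdoe src=10.20.30.41
2014-03-03T10:00:00 mmis-app01 auth: FAILED user=admin src=198.51.100.7
2014-03-03T10:00:01 mmis-app01 auth: FAILED user=admin src=198.51.100.7
2014-03-03T10:00:02 mmis-app01 auth: FAILED user=admin src=198.51.100.7
2014-03-03T10:00:03 mmis-app01 auth: FAILED user=admin src=198.51.100.7
2014-03-03T10:00:04 mmis-app01 auth: FAILED user=admin src=198.51.100.7
this line is malformed and must be skipped rather than abort the review
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>FAILED|SUCCESS) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            records.append(rec)
    return records


def find_lockout_events(records, threshold=5, window=timedelta(minutes=15)):
    """Emulate a lockout policy of `threshold` failures within `window`.

    Returns a list of (user, src, ISO time the threshold was reached,
    success_followed). With lockout enabled the account would have been
    locked at that time; a later success from the same source is the
    strongest sign that a password was guessed.
    """
    failures = defaultdict(deque)   # (user, src) -> recent failure times
    tripped = {}                    # (user, src) -> time threshold was hit
    events = []
    for rec in sorted(records, key=lambda r: r["ts"]):
        key = (rec["user"], rec["src"])
        if rec["result"] == "FAILED":
            q = failures[key]
            q.append(rec["ts"])
            while rec["ts"] - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and key not in tripped:
                tripped[key] = rec["ts"]
        elif key in tripped:                 # SUCCESS after the threshold
            events.append((key[0], key[1], tripped.pop(key).isoformat(), True))
            failures[key].clear()
    # Bursts that never produced a success still need a human look.
    for key, when in tripped.items():
        events.append((key[0], key[1], when.isoformat(), False))
    return events


if __name__ == "__main__":
    for user, src, when, ok in find_lockout_events(parse_log(SAMPLE_LOG)):
        print(f"{when} {user} from {src}: threshold reached, "
              f"{'login later succeeded' if ok else 'no later success'}")
```

Two details matter for a real deployment. The window is sliding, so two stray failures an hour apart (the kdoe account in the sample) never trip the threshold, which keeps the report focused on automated attempts rather than typos. And the threshold check runs over the centralized log rather than on each host, which is exactly what the finding about missing centralized log management leaves an agency unable to do.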
Additionally, that same State agency had not implemented a centralized log management system for all servers and had not deployed any automated software to actively monitor and analyze the log data that were being captured, thereby increasing the risk that inappropriate access to Medicaid data had gone undetected by management.

CONCLUSION

This review aggregates findings from the individual reports that show serious vulnerabilities in the 10 States’ MMIS. The State agencies advised us, in their comments on the individual restricted reports on information system general controls, that they were addressing the vulnerabilities that we had identified. The fact that some of the vulnerabilities were shared among the 10 State agencies suggests that other State Medicaid information systems may be similarly vulnerable. Medicaid agencies’ management should make information system security a higher priority. We are continuing to conduct work in this area. This report is intended to provide information to assist those State agencies and CMS in strengthening system security.

APPENDIX A: AUDIT SCOPE AND METHODOLOGY

SCOPE

We grouped the high- and moderate-impact audit findings from our previous, restricted reviews of information security general controls at 10 State agencies into 3 core categories of general controls: entitywide controls, access controls, and network operations security controls. Taken together, these groups of high- and moderate-impact audit findings identify high-risk vulnerabilities in the State agencies’ MMIS.
All of the vulnerabilities presented in this report were noted in the previous reviews that we performed in CYs 2010, 2011, and 2012.

METHODOLOGY

We conducted the information security general controls audits in 10 States using selected procedures from the Government Accountability Office’s Federal Information Systems Controls Audit Manual, which provides guidance in evaluating general controls over computer-processed data from information systems. However, the selected procedures performed at the State agencies chosen for this review varied; we did not review all of the control areas in all 10 State agencies. We conducted these audits by observing information security operations, interviewing State agency personnel, testing hardware and software configurations, and analyzing system security reports.

To determine the potential impact of each finding, we used information described in the National Institute of Standards and Technology (NIST) Federal Information Processing Standard (FIPS) Publication 199, which defines the following three levels of potential impact should there be a breach of security:

• Low if the loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.

• Moderate if the loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.

• High if the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

We conducted this performance audit in accordance with generally accepted government auditing standards.
Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

APPENDIX B: FEDERAL REQUIREMENTS FOR INFORMATION SYSTEM SECURITY

The principal criteria used in these reviews included:

• NIST Special Publication (SP) 800-12, An Introduction to Computer Security: The NIST Handbook;

• NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems;

• NIST SP 800-16, Information Technology Security Training Requirements;

• NIST SP 800-30, Risk Management Guide for Information Technology Systems;

• NIST SP 800-34, Contingency Planning Guide for Federal Information Systems;

• NIST SP 800-40, version 2.0, Creating a Patch and Vulnerability Management Program;

• NIST SP 800-41, Guidelines on Firewalls and Firewall Policy;

• NIST SP 800-46, Guide to Enterprise Telework and Remote Access Security;

• NIST SP 800-48, Guide to Securing Legacy IEEE 802.11 Wireless Networks;

• NIST SP 800-53, revision 3, Recommended Security Controls for Federal Information Systems and Organizations;

• NIST SP 800-61, Computer Security Incident Handling Guide;

• NIST SP 800-83, Guide to Malware Incident Prevention and Handling;

• NIST SP 800-88, Guidelines for Media Sanitization;

• NIST SP 800-92, Guide to Computer Security Log Management;

• NIST SP 800-97, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i;

• NIST SP 800-100, Information Security Handbook: A Guide for Managers;

• NIST SP 800-114, User’s Guide to Securing External Devices for Telework and Remote Access;

• NIST SP 800-123, Guide to General Server Security;

• NIST SP 800-124, Guidelines on Cell Phone and PDA [Personal Digital Assistant] Security;

• NIST FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems;

• NIST FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems;

• NIST FIPS Publication 140-2, Security Requirements for Cryptographic Modules;

• Office of Management and Budget Circular A-130, Management of Federal Information Resources, Appendix III, “Security of Federal Automated Information Resources”; and

• Title 45 CFR.